Do I really need an information security policy?
InfoSec Policy, Standards and Procedures - don't leave home without them!
Implementing a Security Policy is all about mitigating risk. The goal is to prevent any unauthorized access, use, disruption, manipulation, or destruction of information. Since hackers, bots, and new breeds of AI and machine learning are attacking our networks every second of every day, the need for a security policy is only increasing. Security policies are designed to protect against risk; they are legal documents that require binding practices.
Any fan of Mr. Robot could probably rattle off the top ten most commonly known threats to information security: Trojans, worms, viruses, payloads, malware, phishing, keyloggers, denial of service, eavesdropping, you name it!
In addition to threats, it seems as though we are offered the following defenses so often that we have become tone deaf to their benefits: multi-factor authentication, firewalls, intrusion detection systems, intrusion prevention systems, honeypots, mobile secure gateways, secure coding, anti-virus software, and so on…
Whether you’re adopting ISO 27001/27002 or NIST SP 800 standards, or are regulated by the HITECH Act, NIST, FIPS, or any of the many other awesome alphanumeric standards that dictate the CIA Triad or other security-related alphabet soup, all of our needs are the same.
Our companies require administrative, logical, and physical controls to manage our risk. We need access control through identification, authentication, and proper authorization. This policy must cycle and adapt as the threats and industry change.
Once a threat happens, what is our incident response plan? What standards are we being held accountable to? Bottom line: we need a security policy to put controls in place that mitigate our risk without bringing our business to a screeching halt. The scope of the standards should cover specific technology such as cloud computing, desktop PCs, servers (physical or virtual), email, Wi-Fi communication, and all related tech.
Think of a successful security policy operating as routinely as you think of backing up your data. It is an active standard you implement to manage everything from your network configuration and LDAP or Active Directory to your server or PC security. Security policies are not cookie cutter and should be customized based on your company’s specific assessment and needs. Consider reviewing your policy each time you have an external or internal penetration test and vulnerability assessment performed. If you do not currently have a security policy in place, please contact us at Velocity Tech Solutions. We’d be happy to begin the conversation with you and put a plan in place.